New features aim to shore up Java’s flagging security

Oracle has added new features to Java designed to make it harder for hacked or malicious websites to carry out drive-by malware attacks that exploit underlying vulnerabilities in the widely used software framework.

As Ars reported Wednesday, some security experts say the growing prevalence of attack code exploiting flaws that will never be fixed in an older, widely used version is one factor causing the security of Java to take a dangerous turn for the worse. That's largely the result of Oracle's move in April to stop issuing security updates for Java version 6. Many large companies still use the older release because their Java apps don't work on the latest one, putting the enterprises in the difficult position of choosing compatibility over the security of their employee desktop computers. Apple, Facebook, and Twitter are just some of the companies that have experienced breaches in the past year that targeted Java running on employee computers.

A new feature in Java 7 Update 40 is aimed at ameliorating this predicament. It's a change to the local security policy that allows large customers to specify a limited number of apps that will run on older versions of Java. Known as a deployment rule set, it is an XML file of rules, packaged in a JAR (Java archive) file that must be signed with a certificate chaining to a certificate authority the Java installation trusts, that whitelists specific applets and Web Start apps by the location they are served from or by the certificate that signed them. Each rule says whether a matching app may run, and on which installed Java version (so a legacy app can be pinned to a Java 6 runtime while everything else uses the current release), or whether it is blocked outright; apps no rule matches fall through to the normal security checks, or are blocked if the rule set ends with a catch-all block rule.

"The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment," Java developers explained. "If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java."
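What such a rule set looks like, written here as an added example rather than taken from the article (the hostnames, version pattern and contact wording are placeholders): the file is named ruleset.xml, packaged as DeploymentRuleSet.jar, signed with a certificate that chains to a CA in the Java installation's trusted CA store, and dropped in the deployment directory (C:\Windows\Sun\Java\Deployment on Windows, /etc/.java/deployment on Linux). Rules are checked top to bottom and the first match wins, so the catch-all block rule goes last.

```xml
<!-- ruleset.xml: packaged as DeploymentRuleSet.jar and signed with a
     certificate chaining to a CA in the Java trusted CA store.
     Hostnames, the version pattern and the message text below are
     placeholders (assumptions for this example). -->
<ruleset version="1.0+">

  <!-- Legacy payroll applet that only works on Java 6: allow it, and run it
       on a locally installed 1.6 runtime. "1.6*" matches any 1.6 update. -->
  <rule>
    <id location="https://payroll.corp.example" />
    <action permission="run" version="1.6*" />
  </rule>

  <!-- Internal tool that works on the current release: allow it on the
       default (latest installed) runtime without the usual security prompts. -->
  <rule>
    <id location="https://tools.corp.example" />
    <action permission="run" />
  </rule>

  <!-- Everything else: block. A rule whose <id /> has no attributes matches
       any applet or Web Start app. Because the first matching rule wins,
       this catch-all must stay last. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate policy. Contact the service desk for help.</message>
    </action>
  </rule>

</ruleset>
```

Build and sign it with the JDK tools (jar cvf DeploymentRuleSet.jar ruleset.xml, then jarsigner with a keystore holding a key whose certificate chains to a trusted CA), and confirm the client picked it up from the Security tab of the Java Control Panel, which shows the active rule set. Two caveats a practitioner will care about: the run rule only selects an already installed Java 6 runtime, which still carries every bug that will never be fixed, so the rule set confines that exposure to the listed hosts rather than removing it; and the signed JAR must stay inside the organization, because, as the Oracle statement above says, a rule set found circulating publicly gets its signing certificate blacklisted.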

The new feature will have little effect on home users. Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

Updated to add "in an older, widely used version" to the second paragraph.

Promoted Comments

Java is a great concept. The implementation leaves a bit to be desired.

However, I suspect that an even bigger issue is Oracle ending support for Java 6 less than two years after Java 7 was released. I think that some people who invested in custom developed software are going to be very hesitant to have it developed in Java next time around. Having to support bug fixes in your software is a pain. Having to do a porting effort and extensive testing to move to a new Java version two years after developing to the latest version because Oracle refuses to continue providing their own bug fixes sounds like something that would result in major policy changes.

article wrote:

Many large companies still use the older release because their Java apps don't work on the latest one

This one should read:

Many large companies still use the older release because they don't properly maintain their software with the latest versions of frameworks that they chose to utilize

Have you ever seen how long it takes large companies to approve a new version of a piece of software? I'm talking like a new version of Word, or Pidgin, or whatever.

Asking them to approve an entirely new framework, impacting untold numbers of applications? What crack are you smoking? We aren't talking software with minimal impact. In some cases, we're talking core applications, where downtime is measured in millions of dollars per unit time (which can be as little as seconds).

Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

There is nothing wrong with having the Java runtime installed. Simply removing Java browser plugins is more than enough to keep you safe from this string of vulnerabilities. Quit spreading FUD that you know nothing about, Dan.

"keeping the Java runtime installed but uninstalling all Java browser plugins" <- right there it's an option!

But seriously, if someone doesn't need Java why should they have it installed? Otherwise, you end up with software that never gets upgraded.

And what's the support for the suggestion I don't write about sloppy security in all kinds of other platforms?

Dunno, did you write articles about this same problem for Flash, Windows or Webbrowsers? I mean I generally try to read all the security articles on ars but that doesn't mean I wouldn't miss some. The problem here isn't sloppy security after all! The bugs are all already fixed! The problem is about people not running the newest version of the software.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

But "Software X is horribly vulnerable when people don't apply security patches" is such a general theme that's true for every software ever that picking specifically on Java seems uninteresting at least.


However, I suspect that an even bigger issue is Oracle ending support for Java 6 less than two years after Java 7 was released. I think that some people who invested in custom developed software are going to be very hesitant to have it developed in Java next time around. Having to support bug fixes in your software is a pain. Having to do a porting effort and extensive testing to move to a new Java version two years after developing to the latest version because Oracle refuses to continue providing their own bug fixes sounds like something that would result in major policy changes.

Oracle does support Java 6 - just not for you and me. They have this Java For Business thing that allows support contract holders to get support for older versions of Java for longer period of time. So if you bundled JRE with your app - you can presumably deploy the JFB updated JRE with your app.

I can understand if you just irrationally hate Java. There are plenty of people here who are fanboys of or haters of any of Java, Apple, Microsoft, Windows, iOS, Android, etc, etc.

Do you suppose that some people have looked rationally at their choices and picked Java?

Given that Java is so widely used, do you suppose that there might be some reason for that? The reason may not apply to you, and different factors may influence your rational decision to use something else. But don't suppose that people using Java are irrational.

Java has the most amazing bytecode runtime system that has yet been devised. No matter what source language you write in that compiles to JVM bytecode. (JVM = Java Virtual Machine)

You can run the same JVM bytecode on any platform. You can source level debug. You can dynamically reload methods.

The JVM aggressively optimizes code and dynamically (JIT) compiles JVM bytecode to native code. Code is only compiled to native code if it will make an actual performance difference, based on actual continuous ongoing performance measurements within the running JVM. Also the JVM aggressively inlines code. (Remember I'm talking about bytecode here, not source code.)

But you can also dynamically reload code into a running JVM. So what happens if method A inlines the code of method B, but you later reload the code of method B thus making method A now have obsolete inlined code? The JVM understands this and also recompiles method A and any other methods that inlined the obsolete method B. Call me when your python runtime can do that.

The JVM garbage collector has been the garbage collection research platform for the last decade and a half. The JVM has a choice of multiple sophisticated GC algorithms. All of which are highly tunable.

Production JVMs often run for a very long time and some have dozens or even HUNDREDS of GIGABYTES of heap -- that's memory not disk -- and very short GC pauses (tens of milliseconds or less) due to the sophistication of JVM's GC. Call me when your python (or C#) can do that.

Suppose you're running on a 64-bit JVM, but with less than 32 GB of memory. The JVM can optimize pointers to fit into 32 bits instead of 64 bits. (The low three bits of pointers are assumed to be zero. All objects begin on 8 byte boundaries anyway.) But this is all transparent to your bytecode, let alone being transparent to your source code.

All of this on a bytecode VM that has none of the buffer overruns or pointer problems of C. No double deleting of an object. No deleting of an object still in use. No casting integers to pointers, etc. Everything is safe.

This is just some of the good parts of Java. There's much more.

Don't confuse the problems of how Web Browsers allow horrible interactions between JavaScript code in the browser and a Java Applet in a sandbox. This was always a bad idea, just like Flash and ActiveX were bad ideas. Don't blame the Java language and runtime for this.

Java is the Cobol of the 21st century. And for the same reason. So much business software has been written for the JVM (regardless of source language) that it isn't going away anytime soon.

You can get sophisticated monitoring and logging of a running JVM, from a remote location. Can you do that in any of your other proposed systems? I can watch graphs of memory usage, cpu usage, I can log and get graphs of all sorts of measurable things of a production JVM from my office half a continent away and across national borders (but within the same company private network). And all using free tools. There are even better commercial tools.

Oh, and there are multiple JVM's available. Not just Oracle's.

And application servers? There are multiple of those. I can take a web application and literally plug it into a commercial application server (written in Java) instead of using Apache Tomcat -- if I wanted to. Without recompiling. Even on an IBM mainframe which is very different than a Windows or Linux PC.

When people say write once run anywhere, they mean distribute the binary, not the source code, to anywhere. I can give you a compiled web application (e.g., ".war" file suffix) and you could run it on a PowerPC based IBM server, or an Oracle server on SPARC, or on, say, Tomcat on Windows or Tomcat on Linux on an ARM processor. That's not the same thing as sending you my python script and having you run it (and know how to run it) on python on different platforms.

I don't have anything against Python, in case you get that idea. I actually like it. I just use the right tool for the right job. And Java is one of those tools. And it isn't for everything. But it really IS for some things.

Don't think people are irrational for choosing Java -- even after looking at alternatives.

Also, I hope this satisfied the question about naming any good points of Java.

I don't mind you doing your work. The article is fine and you're doing a good job.

But I can kind of see where they could get the impression you are not doing it right. With all those newsposts about Java recently (here and elsewhere) you could get the impression you're constantly making a big deal out of Java problems while not highlighting security problems in other software nearly as much.

I appreciate your support and fairness, MaestroMaus. Thanks. But how can anyone who reads even a small percentage of my coverage make the argument I highlight the security problems of Java over other software?

Of the last 27 articles that you have authored, only 6 or 7 are about software vulnerabilities, the rest are about the NSA. Of those 6 or 7 articles, 3 bash on Java for no reason other than your own personal ignorance on the subject. You are not a technical writer, stick to what you know.

code once, run anywhere is a bunch of bullshit that does not exist. It doesn't even exist for webpages, let alone native applications. While there can be portions of code, libraries, etc, that can be easily ported/recompiled, any piece of software that is coded once to run everywhere will be horrible.

You must be thinking of GUI applications. For GUI applications I will somewhat agree with you. They are less than ideal, but not necessarily horrible as you say. And some even have good user interface experiences with pure cross platform code.

But now let's talk about code that has no user interface. Write once run everywhere works FANTASTIC for that use case. And it works perfectly.

While I think some people seem to be taking this in a bizarrely personal manner, I do think they might possibly have a bit of a point about Java security.

Dan Goodin wrote:

Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

We know the browser plugin is full of holes so the second and third points are good.

However, does having desktop Java installed without any browser plugins decrease your computer's security? What about running a Java desktop app? The answers to these questions may undermine the first recommendation, or they may not. Can anyone clear this up?

Again, critics who haven't taken the time to read my past coverage, or read stories that make up less than one percent of my previous coverage, lack credibility when making the argument that I highlight Java threats over other platforms.

If Oracle is serious about improving Java security, the very first thing they should do is change the updater so it doesn't cause an unsolicited UAC prompt just to check for a new version. It's astonishing that they have not done so.

Microsoft expressly discourages doing this to minimize user disruption and so the rule of thumb can be to always deny unsolicited prompts. If a non-technical user follows Microsoft's advice hoping to stay safe and has Java installed, it might never be updated at all.

However, I suspect that an even bigger issue is Oracle ending support for Java 6 less than two years after Java 7 was released. I think that some people who invested in custom developed software are going to be very hesitant to have it developed in Java next time around. Having to support bug fixes in your software is a pain. Having to do a porting effort and extensive testing to move to a new Java version two years after developing to the latest version because Oracle refuses to continue providing their own bug fixes sounds like something that would result in major policy changes.

Companies must acknowledge at this point that no matter what the platform you write in is, you must keep up with the language as well as the application. If you're ignoring updates (securities, features, etc.), you are waiting to drop a huge amount of time and money into it versus continuously doing it. Test and build automation only makes finding breaking changes easier.

Again, critics who haven't taken the time to read my past coverage, or read stories that make up less than one percent of my previous coverage, lack credibility when making the argument that I highlight Java threats over other platforms.

And you don't think it'd help if you posted a single link to one of your articles where the same argument - "People don't install security patches therefore Platform X is insecure" - was made about another platform?

Because a quick look through your last 30 or so articles doesn't show any..

If Oracle is serious about improving Java security, the very first thing they should do is change the updater so it doesn't cause an unsolicited UAC prompt just to check for a new version. It's astonishing that they have not done so.

This on the other hand would really warrant an article. Mentioning the sad, sad fact that there's still no 64bit auto updater under Windows wouldn't go amiss either.

It's breathtaking how critics keep slicing up tiny fragments of my coverage to support the argument I pursue some special bias against Java. Keep them coming, please. You're only amplifying the point I'm trying to make.

It's breathtaking how critics keep slicing up tiny fragments of my coverage to support the argument I pursue some special bias against Java. Keep them coming, please. You're only amplifying the point I'm trying to make.

So more handwaving it is then?

Actually I really don't see why anyone would have to find some existing pattern in your overall writing to point out failings in some lackluster article?

Is there anything in these articles other than "People who don't install security patches are vulnerable to exploits that these security patches fixed"? Because I don't see anything. And that theme applies to every software ever and has been known for decades. Patch Tuesdays and malware Wednesdays are nothing new.


article wrote:

Many large companies still use the older release because their Java apps don't work on the latest one

This one should read:

Many large companies still use the older release because they don't properly maintain their software with the latest versions of frameworks that they chose to utilize

Want to guess how I know you've never developed software in a corporate enterprise environment?

Sure. It's because you don't know what you're talking about.

I never said maintaining up to date software is not difficult, time consuming, resource intensive, and many times made impractical by business concerns.

I'm saying that the first rule in security is ensuring you have the latest versions of the software you're running - patches, updates, frameworks, whatever. And if you're not running the latest software, your systems will be vulnerable. A company that sells software that uses java without a plan to upgrade when newer versions come out isn't doing it right. A company that buys software without ensuring that it can be properly maintained has made a mistake.

Security is not easy. But put the blame where it's due, and in this case, it's anyone using java without an upgrade strategy, not java or Oracle's management of java, in this case.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

I'm sometimes baffled by all the hate on Java, and then I dig for details, and see that it's coming from people tricked into running it on the desktop or in a browser.

Java is useful, but it does not belong anywhere near end-users. It's fine server-side.

While I agree that lately Oracle dropped the ball in the security area and deserves to be bashed for that, frequently I see articles here in Ars fueling this flame war due to the simplistic way things are reported in the headlines. I understand it's really hard to be synthetic enough and manage to shove all relevant info into two lines of text, but the result is most of the discussions about Java here (and probably on other sites, too) derail into people distilling too much Hate-o-rade(tm) for nothing. I think spending a bit more thought while conceiving the headlines may at least diminish the avalanche of flames.

To people simply suggesting C#, Python, PHP, <insert_your_preferred_language_here> as better solutions: you will ALWAYS find people running vulnerable and outdated versions of all those languages for one reason or another; either because they are hostage to ancient incompatible systems, too-slow IT department upgrade policies, or just plain lazy people doing what lazy people do to prevent trouble: nothing.

article wrote:

Many large companies still use the older release because their Java apps don't work on the latest one

This one should read:

Many large companies still use the older release because they don't properly maintain their software with the latest versions of frameworks that they chose to utilize

Want to guess how I know you've never developed software in a corporate enterprise environment?

Sure. It's because you don't know what you're talking about.

I never said maintaining up to date software is not difficult, time consuming, resource intensive, and many times made impractical by business concerns.

I'm saying that the first rule in security is ensuring you have the latest versions of the software you're running - patches, updates, frameworks, whatever. And if you're not running the latest software, your systems will be vulnerable. A company that sells software that uses java without a plan to upgrade when newer versions come out isn't doing it right. A company that buys software without ensuring that it can be properly maintained has made a mistake.

Security is not easy. But put the blame where it's due, and in this case, it's anyone using java without an upgrade strategy, not java or Oracle's management of java, in this case.

Also - don't be an asshat. That was not a friendly tone.

*claims another poster doesn't know what he's talking about and calls him an asshat* *complains about a 'friendly tone'*

Your tone is not much better, pal. And guess what, I do happen to know what I'm talking about - the software I'm working on right now is currently deployed on tens of thousands of live production machines, machines that for business reasons way beyond my pay grade will never be updated, despite my protests.

In a large enough corporate environment the people that actually know their ass from a hole in the ground are almost never the people that actually make any significant decisions. Dropping support for Java 6 so quickly has left an awful lot of people hanging.

If Oracle is serious about improving Java security, the very first thing they should do is change the updater so it doesn't cause an unsolicited UAC prompt just to check for a new version. It's astonishing that they have not done so.

Microsoft expressly discourages doing this to minimize user disruption and so the rule of thumb can be to always deny unsolicited prompts. If a non-technical user follows Microsoft's advice hoping to stay safe and has Java installed, it might never be updated at all.

And before that, they should just stop trying to install shovelware like Ask.com toolbars and McAfee trials.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

And looking through the comments I don't see any negative comments directed towards Dan or for the matter people defending the horrible update process. It obviously quickly derails into a "Java is a horrible language" "No it's not" warfare, but oh well it's the internet.

So doesn't seem like there's some Java fanboy group amongst ars readers that will defend it against any kind of criticism.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

Right, articles like that. That article, by a different author, did not generate comments criticizing the article and the author (based on a quick read of the first couple pages of comments). It generated a bunch of complaints about the installation, and other Oracle policies that I agree are pretty bad. You seem to be trying to one-up Voo42, but you're making his case, so I'm a little confused by your comment.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

Right, articles like that. That article, by a different author, did not generate comments criticizing the article and the author (based on a quick read of the first couple pages of comments). It generated a bunch of complaints about the installation, and other Oracle policies that I agree are pretty bad. You seem to be trying to one-up Voo42, but you're making his case, so I'm a little confused by your comment.

So you're suggesting we do multiple articles about the Java installer sucking, but fewer about unpatched vulnerabilities in older versions of Java with lots of installs. Ok, got it.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles because clearly there's a problem that should be addressed (some people will always complain certainly)

Right, articles like that. That article, by a different author, did not generate comments criticizing the article and the author (based on a quick read of the first couple pages of comments). It generated a bunch of complaints about the installation, and other Oracle policies that I agree are pretty bad. You seem to be trying to one-up Voo42, but you're making his case, so I'm a little confused by your comment.

So you're suggesting we do multiple articles about the Java installer sucking, but fewer about unpatched vulnerabilities in older versions of Java with lots of installs. Ok, got it.

There's an important difference about the two articles though: There's clearly a problem going on with the updater/auto updater that *could* be fixed by Oracle while I'm not aware of any perfect solution to "Users aren't installing our security patches and are vulnerable to the exploits those patches fix!". Also the first one is specific to Java while the second one is a very general problem that every major software company faces (i.e. I can take the article replace "Oracle/Java" with some other company/product combination and I'll have just as valid an article)

The best solution is probably silently auto updating ala Chrome for normal users under the assumption that that's not especially likely to break things for them and giving businesses another option. Which again then is a topic about the updater.

I wrote and have been maintaining an open source network directory management system in Java for the last 18 years. (Check out Ganymede software in Wikipedia).

I don't believe I've ever had any problem running either the server or graphical clients on version n+1 of Java during that time.. up until this week when Oracle instituted much harsher controls on running Java Web Start apps that aren't signed with a code signing cert from a CA that they support.

With Java 7.0_40, all my users are now getting a big pop-up dialog warning about the app being self-signed each and every time they run it (with no way to opt out), along with a threat that future versions of Java may prevent such apps from being run at all.

That's a major, major change to how things have worked with Java, and demonstrates that Oracle has really gotten religion about improving their security posture on the web. I don't think they had any other choice after the horrific security problems they've had with applets and downloaded apps on the open web, but it's still to their credit that they're locking things down so aggressively now.

(And maybe this change is something Dan Goodin could also mention?)

I remember what it was like developing system management code before Java, and I'd hate to have to go back to using C{++} and Perl for everything. Using PHP and JavaScript or Python and JavaScript doesn't excite me much either.. I like being able to depend on distributed garbage collection via RMI.

So you're suggesting we do multiple articles about the Java installer sucking, but fewer about unpatched vulnerabilities in older versions of Java with lots of installs. Ok, got it.

Not at all - looks like you've got the java installer sucking covered. Sorry, I was just trying to ask you to clarify whether your intention was to back up Voo42's comment or to counter it - I wasn't clear on your conclusion.

So - was your intention to back Voo42 up, or to counter him?

Also - not fewer articles about oracle dropping support for old versions of software, but just proper terminology and fewer contradictions when writing sub-headlines for such articles (i.e., not this one, but the previous article on a very similar topic). (Voo may be saying something else, but this is what I'm saying.)

There's an important difference about the two articles though: There's clearly a problem going on with the updater/auto updater that *could* be fixed by Oracle while I'm not aware of any perfect solution to "Users aren't installing our security patches and are vulnerable to the exploits those patches fix!". Also the first one is specific to Java while the second one is a very general problem that every major software company faces (i.e. I can take the article replace "Oracle/Java" with some other company/product combination and I'll have just as valid an article)

The best solution is probably silently auto-updating à la Chrome for normal users, under the assumption that that's not especially likely to break things for them, and giving businesses another option. Which again then is a topic about the updater.

I think an auto-updater like Chrome's would certainly be a good thing, even better a few years ago. I am curious how all these users ended up on an old version, and if they would even be updating if there were an automatic installer. For example, if they are in a controlled environment with old software requirements. In these situations an auto-updater would have almost no effect, and users would still be vulnerable.

While I think some people seem to be taking this in a bizarrely personal manner, I do think they might possibly have a bit of a point about Java security.

Dan Goodin wrote:

Ars continues to recommend that individuals carefully evaluate their system needs and consider uninstalling Java altogether, keeping the Java runtime installed but uninstalling all Java browser plugins, or using a dedicated browser for those sites that require Java and using a different browser for viewing all other pages.

We know the browser plugin is full of holes so the second and third points are good.

However, does having desktop Java installed without any browser plugins decrease your computer's security? What about running a Java desktop app? The answers to these questions may undermine the first recommendation, or they may not. Can anyone clear this up?

Yeah, I agree that many commenters are taking things unnecessarily personally. I've never understood the impulse to take offense at information that may cast a particular product or technology platform in a negative light, but I do know the reaction is extremely powerful -- and usually frustrating no matter which side of the debate you happen to fall on.

To answer your question about having desktop Java installed: there's near unanimity among whitehat and blackhat hackers that the more "attack surface" a computer has, the more vulnerable it will be to attacks. As a result, many advise that users uninstall software and services they don't use. I have long echoed this advice, and that includes not just Java, but .NET, Silverlight and other frameworks and apps as well.

Please also pay extra careful attention to the way I phrased the advice in the article. I didn't say all people in all cases should uninstall the Java runtime. I said people should "carefully evaluate their system needs and *consider*" [emphasis added] several options, only one of which is "uninstalling Java altogether." I suspect that these important nuances may have gotten lost in the heat of battle.

He seemed to be calling for more coverage of the updater, and I was just trying to point out that we have already covered that topic.

If you wrote an article about the horrible state of Java's auto updater (and the fact that 64-bit Java still doesn't have one - under Windows at least) and how this causes people to have outdated Java versions - that would a) maybe get Oracle to work a bit harder on this problem and b) certainly not meet as much criticism as these articles, because clearly there's a problem that should be addressed (some people will always complain, certainly).

And looking through the comments I don't see any negative comments directed towards Dan or, for that matter, people defending the horrible update process. It obviously quickly derails into a "Java is a horrible language" / "No it's not" warfare, but oh well, it's the internet.

So it doesn't seem like there's some Java fanboy group amongst Ars readers that will defend it against any kind of criticism.

Also - and sorry to be quoting the same comment again - but I think by posting that article link, you might have missed Voo42's point - the pain involved in upgrading is the actual problem, not that Java end-of-lifed a product. This is why the linked article wouldn't receive as much criticism as the current article.

No, that wasn't my intention at all. What I was trying to say was that, contrary to what Dan seems to believe - to quote him - "I've never understood the impulse to take offense at information that may cast a particular product or technology platform in a negative light", the criticism here is not due to the fact that somebody says bad things about Java, but that several people think it is an unfair criticism that could be applied to any software ever written.

And the fact that you could point to a specific article that clearly shows Java/Oracle in a negative light, without garnering any negative comments from the audience (well, let's say almost none; there are always some people), demonstrates that this can't be that wrong.

You're quoting me out of context. The observation wasn't addressing any comments you made. It was made in response to a specific comment, and it was intended to describe the variety of personal attacks some people have left in this discussion.

To blame it all on the updater seems myopic to me. What about all the people that are unable to update Java for other reasons? Yes, I know they *should* be running the most recent Java, but given the huge 1.6 install numbers, shouldn't Oracle still be backporting security patches? It's not as if they're short on resources!

I hope that answers your question.

It does, thank you kindly. I must admit that nuance did elude me until you spelled it out.

Not to defend Oracle dropping security support for Java 6 so soon, but they do run hundreds of thousands of regression tests when they build a JDK. I'm sort of surprised that many people have trouble moving to Java 7.

Sorry, that wasn't my intention. I actually read your comment as applicable to the general discussion here, including comments made by me, since the person you were replying to seemed to be going for this interpretation.

A misunderstanding then; I certainly wasn't trying to twist the words in your mouth.

Again, I think you've missed the point.

I didn't intend to blame all upgrade issues on the updater - but that this would be a more legitimate gripe against Oracle and Java. All of those other reasons it becomes a maintenance pain I would generally blame on developers who utilize Java but don't provide updated software, including the latest Java framework, to their users.

I wouldn't guess that this is because they're short on resources, but I would guess it's more likely that they have an interest in pushing users to the latest version - especially since they seem to be exerting more control on the platform (as per a previous comment about Java Web Start).